Just an FYI

I hope the #SBOM
<https://www.linkedin.com/feed/hashtag/?keywords=sbom&highlightedUpdateUrns=urn%3Ali%3Aactivity%3A7002322440945033216>
community is aware of the "Anti-SBOM" campaign currently underway from the
Information Technology Industry Council (ITI)
<https://www.linkedin.com/company/information-technology-industry-council/>.
This excerpt from a recent ITI letter shows a clear lack of empathy for
software consumers that need an SBOM to monitor for vulnerabilities in
installed software.

Discourage agencies from requiring artifacts until SBOMs are scalable and
consumable. We recognize and appreciate the value of flexibility built into
the OMB process. Given the current level of (im-)maturity, we believe that
SBOMs are not suitable contract requirements yet. The SBOM conversation
needs more time to move towards a place where standardized SBOMs are
scalable for all software categories and can be consumed by agencies. At
this time, it is premature and of limited utility for software producers to
provide an SBOM. We ask that OMB discourage agencies from requiring
artifacts until there is a greater understanding of how they ought to be
provided and until agencies are ready to consume the artifacts that they
request.
Here's an article I posted on Energy Central regarding the November 22, 2022
ITI letter to OMB:

https://energycentral.com/c/pip/trade-org-urges-omb-%E2%80%98harmonize%E2%80%99-secure-software-development-practices

Thanks,

Dick Brooks

Active Member of the CISA Critical Manufacturing Sector,
Sector Coordinating Council - A Public-Private Partnership

Never trust software, always verify and report!
<https://reliableenergyanalytics.com/products>
http://www.reliableenergyanalytics.com

Email: [email protected]

Tel: +1 978-696-1788

View/Reply Online (#4854): https://lists.spdx.org/g/Spdx-tech/message/4854